Here's a simple guide for how I managed to bill one of my customers as is now mandated by law in Italy.
Create a new virtualbox machine
I would never do any of this to any system I would ever want to use for anything else, so it's virtual machine time.
- I started virtualbox, created a new machine for *buntu 32bit, 8Gb disk, 4Gb RAM, and placed the .vdi image in an encrypted partition. The web services of Infocert's fattura-pa requires "Java (JRE) a 32bit di versione 1.6 o superiore".
- I installed *buntu 12.04 on it: that is what dike declares to support.
- I booted the VM, installed virtualbox-guest-utils, and de sure I also had virtualbox-guest-x11
- I restarted the VM so that I could resize the virtualbox window and have *buntu resize itself as well. Now I could actually read popup error messages in full.
- I changed the desktop background to something that gave me the idea that this is an untrusted machine where I need to be very careful of what I type. I went for bright red.
Install smart card software into it
apt-get install pcscd pcsc-tools opensc
- In virtualbox, I went to Devices/USB devices and enabled the smart card reader in the virtual machine.
- I ran
pcsc_scanto see if it could see my smart card.
- I ran Firefox, went to preferences, advanced, security devices, load. Module
name is "CRS PKCS#11", module path is
- I went to https://fattura-pa.infocamere.it/fpmi/service and I was able to log in. To log in, I had to type the PIN 4 times into popups that offered little explanations about what was going on, enjoying cold shivers because the smart card would lock itself at the 3rd failed attempt.
- Congratulations to myself! I thought that all was set, but unfortunately, at this stage, I was not able to do anything else except log into the website.
Descent into darkness
Set up things for fattura-pa
- I got the PDF with the setup instructions from here. Get it too, for a reference, a laugh, and in case you do not believe the instructions below.
- I went to https://www.firma.infocert.it/installazione/certificato.php, and saved the two certificates.
- Firefox, preferences, advanced, show certificates, I imported both CA certificates, trusted for everything, all my base are belong to them.
apt-get install icedtea-plugin
- I went to https://fattura-pa.infocamere.it/fpmi/service and tried to sign. I could not: I got an error about invalid UTF8 for something or other in Firefox's stdandard error. Firefox froze and had to be killed.
Set up things for signing locally with dike
- I removed icedtea so that I could use the site without firefox crashing.
- I installed DiKe For *buntu 12.04 32bit
- I ran dikeutil to see if it could talk to my smart card
- When signing with the website, I chose the manual signing options and downloaded the zip file with the xml to be signed.
- I got a zip file, unzipped it.
- I loaded the xml into dike.
- I signed it with dike.
- I got this error message: "nessun certificato di firma presente sul dispositivo di firma" and then this error message: "Impossibile recuperare il certificato dal dispositivo di firma". No luck.
Set up things for signing locally with ArubaSign
- I went to https://www.pec.it/Download.aspx
- I downloaded ArubaSign for Linux 32 bit.
- Oh! People say that it only works with Oracle's version of Java.
sudo add-apt-repository ppa:webupd8team/java
apt-get install oracle-java7-installer
- During the installation process I had to agree to also sell my soul to Oracle.
tar axf ArubaSign*.tar*
java -jar ArubaSign.jar
- I let it download its own updates. Another time I did not. It does not seem to matter: I get asked that question every time I start it anyway.
- I enjoyed the fancy brushed metal theme, and had an interesting time navigating an interface where every label on every icon or input field was truncated.
- I downloaded https://www.pec.it/documenti/Manuale_ArubaSign2_firma%20Remota_V03_02_07_2012.pdf to get screenshots of that interface with all the labels intact
- I signed the xml that I got from the website. I got told that I needed to really view carefully what I was signing, because the signature would be legally binding
- I enjoyed carefully reading a legally binding, raw XML file.
- I told it to go ahead, and there was now a
.p7mfile ready for me. I rejoiced, as now I might, just might actually get paid for my work.
Try fattura-pa again
Maybe fattura-pa would work with Oracle's Java plugin?
- I went to https://fattura-pa.infocamere.it/fpmi/service
- I got asked to verify java at www.java.com. I did it.
- I told FireFox to enable java.
- Suddenly, and while I was still in java.com's tab, I got prompted about allowing Infocert's applet to run: I allowed it to run.
- I also got prompted several times, still while the current tab was not even Infocert's tab, about running components that could compromise the security of my system. I allowed and unblocked all of them.
- I entered my PIN.
- Congratulations! Now I have two ways of generating legally binding signatures with government issued smart cards!
I shut down that virtual machine and I'm making sure I never run anything important on it. Except, of course, generating legally binding signatures as required by the Italian government.